This article is focused on security, since the gateway is connected directly to the Internet. It should not run any service that is reachable from the outside world, and towards the LAN it should run only gateway-specific services. It should not run HTTPd, FTPd, Samba, NFSd, etc.; those belong on a server on the LAN or in a DMZ (if you want to make these services available to the outside world), because every extra service on the gateway is another way to compromise the one machine that guards your network.

This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see Internet Share.

Hardware Requirements

At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.

At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.

A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.

Conventions

Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.

intern0: the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.

extern1: the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.

Installation

A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.

Partitioning

For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the gparted livecd can be used to resize, move, or create new partitions.

Your home and root partitions can be much smaller than on a regular install since this isn't a desktop machine. /var should be the largest partition: it's where databases, logs and long-term caches are stored. Separate partitions also let you mount /tmp and /var with nodev, nosuid and (where nothing needs to execute from them) noexec. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary.

Post-Installation

After installation boot Arch and upgrade all the packages to their latest version:

Network interface configuration

Persistent naming

IP configuration

Open /etc/rc.conf once more and scroll down to the network config section. This is where you define how your network cards obtain their IP. The LAN card gets a static IP; I'm going with 10.0.0.1 because it's easy to type. I'm building a gateway for a small student home with 4 rooms, so I'm keeping the subnet fairly small: 4 host bits (a /28) give 16 addresses.

Of those 16, three cannot be handed out to clients:

the network address: 10.0.0.0

the gateway: 10.0.0.1

the broadcast address: 10.0.0.15

which leaves 13 addresses for computers on the LAN (10.0.0.1/28, netmask 255.255.255.240). This translates into:

ADSL connection

Using rp-pppoe, we can connect an ADSL modem to the external interface (extern1) of the firewall and have Arch manage the connection. Make sure you put the modem in bridged mode, otherwise the modem will act as a router too and you end up behind two layers of NAT.

# pacman -S rp-pppoe

Configuration: rp-pppoe

# /usr/sbin/pppoe-setup

The questions are all documented. You can select "no firewall", because we'll let Shorewall / iptables handle that part. Note that the PPPoE link comes up as ppp0, and that is the interface the firewall has to treat as external, not the physical card it runs over.

There's a bug in the package, so we need to manually create a symbolic link:

# ln -s /usr/sbin/pppd /sbin/pppd

Everything should be in place.

# /etc/rc.d/adsl start

DNS and DHCP

dnsmasq

We'll use dnsmasq, a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.

First, install dnsmasq:

# pacman -S dnsmasq

Now, dnsmasq needs to be configured. To do this:

Edit /etc/dnsmasq.conf and add the following lines:

interface=intern0   # answer DNS and DHCP requests only on intern0 (our LAN); note that
                    # without bind-interfaces dnsmasq still binds all addresses and
                    # merely discards requests arriving on other interfaces
expand-hosts        # add the domain to simple hostnames in /etc/hosts
domain=foo.bar      # allow fully qualified domain names for DHCP hosts (needed when
                    # "expand-hosts" is used)
dhcp-range=10.0.0.2,10.0.0.14,255.255.255.240,1h   # DHCP range for the LAN:
                    # from 10.0.0.2 to .14 with a netmask of 255.255.255.240 and a
                    # DHCP lease of 1 hour (change to your own preferences)

Further down in the file you'll notice you can also add "static" DHCP leases (dhcp-host), i.e. bind an IP address to the MAC address of a computer on the LAN. This way, whenever that computer requests a new lease, it gets the same IP. That's very useful for network servers with a DNS record. You can also refuse to hand out an address to certain MACs. Evil!! ^_^
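The subnet arithmetic from the IP configuration section and the dnsmasq stanza above fit together: the DHCP pool is exactly the address range left after network, gateway and broadcast. The script below, an added example that is not part of the wiki page, computes that range from the gateway address and prefix length and renders the matching dnsmasq configuration, including a static lease and a refused MAC as described above. The interface name follows the conventions of this article; the domain, the MAC addresses and the host name "webserver" are assumed values for the example.

```shell
#!/bin/sh
# Added example, not part of the wiki page: derive the LAN addressing from the
# gateway address and prefix length (the /28 used in the text), then render the
# dnsmasq stanza that goes with it. The interface name follows the conventions
# above; the domain, the MAC addresses and the host name "webserver" are assumed.

ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_calc GATEWAY PREFIXLEN
# Prints network, netmask, broadcast, gateway, the first and last address left
# for clients and how many clients fit, one key=value per line. The gateway is
# expected to sit on the first usable address, as in the article.
subnet_calc() {
    gw=$(ip_to_int "$1")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    net=$(( gw & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    if [ "$gw" -ne $(( net + 1 )) ]; then
        echo "subnet_calc: $1 is not the first usable address of its /$2" >&2
        return 1
    fi
    printf 'network=%s\n'   "$(int_to_ip "$net")"
    printf 'netmask=%s\n'   "$(int_to_ip "$mask")"
    printf 'broadcast=%s\n' "$(int_to_ip "$bcast")"
    printf 'gateway=%s\n'   "$(int_to_ip "$gw")"
    printf 'first=%s\n'     "$(int_to_ip $(( gw + 1 )))"
    printf 'last=%s\n'      "$(int_to_ip $(( bcast - 1 )))"
    printf 'clients=%s\n'   $(( bcast - gw - 1 ))
}

# field TEXT KEY: value of the "KEY=..." line in TEXT
field() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }

# dnsmasq_lan_conf IFACE DOMAIN GATEWAY PREFIXLEN
# The DHCP pool is exactly the client range computed above. bind-interfaces
# turns "interface=" into a real restriction: without it dnsmasq also binds
# the wildcard address and only discards requests that arrive elsewhere.
# domain-needed and bogus-priv keep plain host names and private reverse
# lookups from being forwarded to the upstream resolver.
dnsmasq_lan_conf() {
    calc=$(subnet_calc "$3" "$4") || return 1
    cat <<EOF
interface=$1
bind-interfaces
domain-needed
bogus-priv
expand-hosts
domain=$2
dhcp-range=$(field "$calc" first),$(field "$calc" last),$(field "$calc" netmask),1h
# static lease for a LAN host with a DNS record (MAC and host name assumed)
dhcp-host=00:11:22:33:44:55,webserver,$(field "$calc" last)
# never hand out an address to this MAC (assumed)
dhcp-host=66:77:88:99:aa:bb,ignore
EOF
}

# usage: subnet_calc 10.0.0.1 28
#        dnsmasq_lan_conf intern0 foo.bar 10.0.0.1 28 > /etc/dnsmasq.d/lan.conf
```

Run `subnet_calc 10.0.0.1 28` to reproduce the numbers in the text (broadcast 10.0.0.15, 13 client addresses), and `dnsmasq_lan_conf intern0 foo.bar 10.0.0.1 28` to get a stanza whose dhcp-range line is identical to the one above, with the listening restriction actually enforced by bind-interfaces.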
Now start dnsmasq

to see where the sample files are. cd into the directory "two-interfaces" and copy the contents to the /etc/shorewall/ directory.
Now use Shorewall's guide to set up the files correctly.

Read the document carefully. Take special care to change eth0 and eth1 (or ppp0 if you're using PPPoE) where appropriate in your config files, as the Shorewall guide uses different names for the interfaces than this article (extern1 and intern0). When you've followed it thoroughly, make the following changes:

/etc/shorewall/interfaces : add "dhcp" to the loc line to allow computers on the LAN to make use of our DHCP server

/etc/shorewall/rules : add

ACCEPT loc $FW TCP 2367

but change 2367 into whatever port you have your SSH server listening on.

Finally, run

# /etc/rc.d/shorewall start

From here on, the Arch box is operational. Connect a hub or switch to the LAN interface (intern0) and a computer to the LAN to test it.

Port forwarding (DNAT)

/etc/shorewall/rules : here's an example for a web server on our LAN with IP 10.0.0.85, reachable on port 5000 of our "external" IP. Note that the target has to be inside the LAN subnet; with the /28 from the IP configuration section that means an address between 10.0.0.2 and 10.0.0.14, so adjust it to your own network. This is the one deliberate hole in the firewall, so keep the forwarded host patched as if it were on the Internet, because from the attacker's point of view it is.

DNAT net loc:10.0.0.85:80 tcp 5000
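The Shorewall steps above (sample files, interface names, the "dhcp" option, the SSH rule and the DNAT rule) spread the configuration over several files. The script below is an added example, not the wiki's or Shorewall's own sample files: it renders a complete two-interface configuration (zones, interfaces, policy, masq, rules) into a directory of your choice, using the interface conventions of this article, Shorewall 4 syntax, and the MACRO/ACTION rule form the page uses. The SSH port, LAN subnet and DNAT target are parameters with assumed example values; shorewall.conf is not written, so set IP_FORWARDING=On and STARTUP_ENABLED=Yes there yourself.

```shell
#!/bin/sh
# Added example, not the wiki's or Shorewall's own files: render a complete
# two-interface Shorewall configuration into a directory. Interface names
# follow the conventions above; SSH port, LAN subnet and DNAT target are
# assumed values. Shorewall 4 syntax.

# write_shorewall_config DIR WAN_IF LAN_IF LAN_NET SSH_PORT DNAT_HOST DNAT_PORT
write_shorewall_config() {
    dir=$1 wan=$2 lan=$3 lannet=$4 sshport=$5 dnat_host=$6 dnat_port=$7
    mkdir -p "$dir"

    cat >"$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # "dhcp" on loc lets LAN clients reach the DHCP server on the gateway; on
    # net it is only needed when the WAN address itself comes from DHCP (drop
    # it for a PPPoE link, where the WAN interface is ppp0).
    cat >"$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $wan        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     $lan        detect      dhcp,tcpflags,nosmurfs,routefilter
EOF

    # Default deny from the Internet, LAN may go out, everything else is
    # rejected and logged. The gateway itself gets no blanket outbound access:
    # each service it needs is listed explicitly in the rules file.
    cat >"$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # NAT the LAN behind the address of the WAN interface
    cat >"$dir/masq" <<EOF
#INTERFACE  SOURCE
$wan        $lannet
EOF

    cat >"$dir/rules" <<EOF
#ACTION     SOURCE  DEST                        PROTO   DEST PORT(S)
# gateway services, reachable from the LAN only
ACCEPT      loc     \$FW                         tcp     $sshport
DNS/ACCEPT  loc     \$FW
Ping/ACCEPT loc     \$FW
# what the gateway itself needs from the Internet
DNS/ACCEPT  \$FW    net
NTP/ACCEPT  \$FW    net
# keep the log free of Internet pings
Ping/DROP   net     \$FW
# the single port forward: WAN port $dnat_port -> $dnat_host:80
DNAT        net     loc:$dnat_host:80           tcp     $dnat_port
EOF
}

# check_shorewall_config DIR: compile the rule set without touching the live
# firewall; "shorewall check" takes the configuration directory as argument.
check_shorewall_config() {
    if ! command -v shorewall >/dev/null 2>&1; then
        echo "shorewall not installed, skipping check" >&2
        return 0
    fi
    shorewall check "$1"
}

# usage: write_shorewall_config /etc/shorewall extern1 intern0 10.0.0.0/28 2367 10.0.0.5 5000
#        check_shorewall_config /etc/shorewall
```

Write the files into a scratch directory first, run `shorewall check` against it, and only then copy them to /etc/shorewall and start the firewall; a typo in the policy file otherwise leaves you with no rules at all.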

Cleanup

Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.

First, check for foreign packages, i.e. packages that are no longer found in any configured repository. After a fresh install followed by a massive series of updates this is where dropped or renamed packages show up:

$ pacman -Qm

Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.

$ pacman -Qet

Completely remove the packages you don't need along with their configuration files and dependencies:

# pacman -Rsn package1 package2 package3

Logrotate

You should review the logrotate configuration to make sure the box isn't brought down by lack of diskspace due to logging.

Logrotate is installed by default, so you won't have to install it.

Optional additions

Remote administration

OpenSSH can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).
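Since the article's rule is that nothing on the gateway listens towards the Internet, the SSH daemon has to be bound to the LAN address only, on the port the Shorewall rule above allows. The script below is an added example, not from the wiki page: it prints an sshd_config for that setup and includes a checker that flags the settings a LAN-only, key-only gateway should not carry (no ListenAddress, PermitRootLogin yes, password logins, no AllowUsers). 10.0.0.1 and port 2367 are the values used elsewhere on the page; the user name "admin" is assumed.

```shell
#!/bin/sh
# Added example, not from the wiki page: sshd_config for a gateway that
# listens on the LAN address only, plus a checker for the settings that
# should never appear on such a box. 10.0.0.1 and 2367 come from the page;
# the user name is assumed.

# sshd_lan_only_config LAN_IP PORT USER
sshd_lan_only_config() {
    cat <<EOF
# listen on the LAN address only; nothing is exposed on the WAN interface
Port $2
ListenAddress $1:$2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $3
X11Forwarding no
UseDNS no
LoginGraceTime 30
MaxAuthTries 3
EOF
}

# has CONFIG KEY VALUE_REGEX: true if the comment-stripped, lower-cased
# config contains a "KEY VALUE" line (the "Key value" form; "Key=value" is
# not handled here).
has() { printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$"; }

# check_sshd_config FILE
# Returns 0 when the file passes, 1 otherwise, printing one reason per line.
# Only IPv4 ListenAddress lines are recognised (assumption for the example).
check_sshd_config() {
    f=$1 rc=0
    cfg=$(sed 's/#.*//' "$f" | tr '[:upper:]' '[:lower:]')
    if ! has "$cfg" listenaddress '[0-9.]+(:[0-9]+)?'; then
        echo "no ListenAddress: sshd binds every interface, WAN included"; rc=1
    fi
    if has "$cfg" permitrootlogin yes || ! has "$cfg" permitrootlogin '(no|prohibit-password|without-password)'; then
        echo "PermitRootLogin must be no (or at least prohibit-password)"; rc=1
    fi
    if ! has "$cfg" passwordauthentication no; then
        echo "PasswordAuthentication should be no: use keys on a gateway"; rc=1
    fi
    if ! has "$cfg" allowusers '.+'; then
        echo "AllowUsers is unset: every local account may log in"; rc=1
    fi
    return $rc
}

# usage: sshd_lan_only_config 10.0.0.1 2367 admin > /etc/ssh/sshd_config
#        check_sshd_config /etc/ssh/sshd_config
```

Before restarting the daemon, run `sshd -t -f /etc/ssh/sshd_config` on the gateway to have sshd itself validate the syntax, and keep an existing session open until a second login on the new port has succeeded; on a headless box a broken sshd_config means a trip to the console.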

Caching web proxy

See Squid or Polipo for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.

Time server

Then, configure shorewall or iptables to allow NTP traffic in and out.

# nano /etc/shorewall/rules

NTP/ACCEPT loc $FW
NTP/ACCEPT $FW net

# /etc/rc.d/shorewall restart

Content filtering

Install and configure DansGuardian if you need a content filtering solution.

Traffic shaping

Traffic shaping is very useful, especially when you're not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there's everything in between.

At the bottom of the file, there's a list of includes. These define which rules you want to enforce. (Un)comment as you please. You should check that the corresponding file exists, as for me, none of the rules files were present.

Now Snort will run as user snort in group snort, so a flaw in the detection engine itself does not hand out root on the gateway. The other options make it log to /var/log/snort in ASCII mode. Run snort -h to see the other available options.

I've been running my router for 12 days now, and using the above snort options, I had around 120MB of logs! So I changed the -A switch to "-A none". This only logs alerts. I didn't know what to do with all the logs anyway.

Update the rules: Oinkmaster

If you want to be able to download Snort's latest rules, you'll need a subscription. This costs money. If you're happy with 5-day-old rules, you just need to register for free. If you don't register, the only updates you'll get are the new rules distributed with each new Snort release.
Go ahead and register at Snort. If you really don't want to register, you can use the rules from BleedingSnort.com. They're bleeding edge, meaning they haven't been tested thoroughly.

Oinkmaster setup

When you log into your new account, create an "Oink code".

Then edit the Oinkmaster configuration file, look for the URL section and uncomment the 2.4 line. Make sure to replace <oinkcode> with the Oink code you generated after logging into your Snort account. For Bleeding Snort rules, uncomment the appropriate line instead.
Another thing to change is